The 90’s Called: They Want Their Technology Back
SANS ICS Summit
Stephen Hilt @sjhilt
Philippe Lin @miaoski
Legal Disclaimer
It might be illegal to
• Spoof
• Sniff and store the data
• Sniff but not store the data
• Decrypt
Huh? It’s already 2016
• To avoid interference
• Places with weak signal
• Physical security standard for SCIF (Sensitive Compartmented Information Facilities)
PHS J-88
History of Pagers
• Launched in the 1950s in hospitals in NYC – $12 a month for 25 miles of coverage
• 1962 Bell System: radio paging system at the Seattle World’s Fair
• 2001 Motorola stopped making new pagers.
• Multiple protocols in use
  – POCSAG
  – FLEX
  – ReFlex, Golay, Inmarsat, etc.
Pagers Once a Symbol of Cool
In USA: 143 = I love you
607 = I miss you
406 = Hugs and kisses
911 = Call me now
601 = Happy B-Day
1134209 = Go to h311
Protocol - POCSAG
• Post Office Code Standardization Advisory Group
  – 512, 1200 and 2400 bps
  – Bandwidth 9 kHz, FSK
Source: http://www.raveon.com/pdfiles/AN142(POCSAG).pdf
Figure label: 32-bit FSC
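Decoding a POCSAG batch, as an added example that is not part of the talk: the parser below walks one batch (the 32-bit FSC, then eight frames of two codewords each) and shows that the only integrity a receiver can check is the BCH(31,21) check bits plus even parity, which detect transmission errors but say nothing about who sent the page. The FSC, idle codeword and generator polynomial are the published POCSAG constants; the RIC 1234568 and the payload 0x12345 are constructed sample values.

```python
# Added example: minimal POCSAG batch parser. Constants follow the POCSAG codeword
# format; the RIC and payload in sample_batch() are constructed, not captured data.
POCSAG_BCH_POLY = 0x769   # generator x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
FSC = 0x7CD215D8          # frame synchronisation codeword opening each batch
IDLE = 0x7A89C197         # idle codeword filling unused slots

def bch_checkbits(info21: int) -> int:
    """10 BCH(31,21) check bits for the 21 information bits (flag + 20 data)."""
    reg = info21 << 10
    for bit in range(30, 9, -1):             # long division over GF(2)
        if reg & (1 << bit):
            reg ^= POCSAG_BCH_POLY << (bit - 10)
    return reg & 0x3FF

def codeword_valid(cw: int) -> bool:
    """Error detection only: even parity and BCH check bits agree; no sender authentication."""
    if bin(cw).count("1") & 1:               # bit 0 makes the 32 bits even parity
        return False
    return bch_checkbits(cw >> 11) == (cw >> 1) & 0x3FF

def make_codeword(info21: int) -> int:
    """Assemble a valid 32-bit codeword; used here only to build the sample batch."""
    cw31 = (info21 << 10) | bch_checkbits(info21)
    return (cw31 << 1) | (bin(cw31).count("1") & 1)

def parse_batch(words):
    """Decode one batch (FSC + 8 frames x 2 codewords) into (kind, detail) per slot."""
    if len(words) != 17 or words[0] != FSC:
        raise ValueError("batch must be FSC plus 16 codewords")
    out = []
    for slot, cw in enumerate(words[1:]):
        frame = slot // 2                    # frame number supplies the low 3 RIC bits
        if cw == IDLE:
            out.append(("idle", frame))
        elif not codeword_valid(cw):
            out.append(("corrupt", frame))
        elif cw >> 31 == 0:                  # flag 0: address codeword
            ric = ((cw >> 13) & 0x3FFFF) << 3 | frame
            out.append(("address", (ric, (cw >> 11) & 0b11)))
        else:                                # flag 1: 20 payload bits of a message
            out.append(("message", (cw >> 11) & 0xFFFFF))
    return out

def sample_batch():
    """Constructed sample: page to RIC 1234568 (function 3) with one message word."""
    ric, func = 1234568, 3                   # RIC % 8 == 0, so it sits in frame 0
    addr_info = (ric >> 3) << 2 | func       # flag 0, 18 address bits, 2 function bits
    msg_info = 1 << 20 | 0x12345             # flag 1, constructed payload
    return [FSC, make_codeword(addr_info), make_codeword(msg_info)] + [IDLE] * 14
```

Flipping two bits in a codeword is reported as corrupt, but a well-formed codeword from any transmitter is accepted, which is the gap the encrypted-pager recommendation later in the deck addresses.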
Protocol - FLEX
• By Motorola
• 1600, 3200 or 6400 bps
• Bandwidth 5 kHz, FSK or 4FSK
• Time syncs instead of always listening for a preamble to save battery
• 128 Frames in 4 minute time cycle, 15 cycles per hour
Frequencies
• Primary focus areas for our research

Country   Frequency (MHz)                                                  Protocol
USA       928.964, 929.015, 929.359, 929.562, 929.585, 929.612, 929.630,  FLEX
          929.663, 929.683, 929.785, 929.887, 930.263, 930.762, 930.788,
          931.012, 931.038, 931.063, 931.113, 931.463
Canada    929.212, 931.612                                                 FLEX
Japan     282.0125, 283.0850, 283.7625, 283.8625                          POCSAG
Setup to Sniff Pages
• POCSAG and FLEX
• All can be sniffed with a DVB-T dongle
• ~$20 at Hak5, Amazon, etc.
pager_rx.py
• GNU Radio Python script that sniffs the FLEX protocol
• Multiple frequencies at the same time
https://github.com/argilo/sdr-examples
Using SMS to Pager Gateway (2)
• CallXPress: speech-to-text summary
• SPOK: former USA Mobility
• Can be integrated with phonebook + CallerID
Using Email to Pager Gateway (1)
• WhosCalling: email for missed calls
• WebCTRL®: BAS from Automated Logic
  Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM)
• METASYS®: BAS from Johnson Controls
  MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC
  » FQR: fully qualified references
Security Industry
• CVE-2016-0068 Microsoft® Internet Explorer® Elevation of Privilege Vulnerability
• CVE-2016-0936 Adobe® Acrobat® Memory Corruption Vulnerability
• CVE-2016-0938 Adobe Reader® and Acrobat Memory Corruption Vulnerability
• CVE-2014-1791 Microsoft Internet Explorer Memory Corruption Vulnerability
• CVE-2016-0007 Microsoft Windows Mount Point Privilege Escalation Vulnerability
• CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability
• CVE-2014-0526 Adobe PDF Reader Encoding DCT Vulnerability
• CVE-2015-1666 Internet Explorer CMetaElement code execution
• CVE-2016-0966 Adobe Flash® Player Memory Corruption Vulnerability
• CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability
• CVE-2016-0098 Apache Server Multiple Vulnerabilities
• Apache mod_cgi Bash Environment Variable Code Injection
• Mozilla Firefox nsFrameManager Remote Code Execution Vulnerability
Recon
• Alice (505*******), mostly called by Rose (505*******)
• Aaron (505*******), mostly called by unknown (505*******)
• Bruce (--), mostly called Nancy (505*******)
• Charles (--), whose mother is Elizabeth (505*******)
• Charles (--), whose wife is Jenny (505*******)
• David (--), whose wife is Carol (505*******)
• Fred (--), whose wife or girlfriend is Kate (505*******)
Attacks
• Industrial – if messages are used for real-time communications, spoofed pages can cause issues
  – Alert maintenance of an issue; system may be taken offline
  – Declaring an emergency inside facilities
  – Insider power trading information
• Public Sector – social engineering
  – Impersonate a contractor
  – Recon for sensitive places
Solutions
• Stop using pagers
• Use encrypted pagers
• Don’t leak personal information if pagers are absolutely required
Questions?
• http://documents.trendmicro.com/assets/threat-reports/wp-leaking-beeps-healthcare.pdf
• https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_leaking-beeps-industrial.pdf
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-leaking-beeps-a-closer-look-at-it-systems-that-leak-pages.pdf
Search: Leaking Beeps
@sjhilt @miaoski